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In quantum key distribution(QKD), one can use a classical 
CSS code to distill the final key. However, there is a constraint 
for the two codes in CSS code and so far it is unknown how to 
construct a large CSS code efficiently Here we show that the 
BDSW method given by Bennett et al can be modified and 
the error correction and privacy amplification can be done 
separately with two independent parity matrices. With such 
a modification, BDSW method can be used to distill the final 
key without any classical computational complexity. We also 
apply the method to the case of imperfect source where a 
small fraction of signals are tagged by Eve. 

Introduction. Quantum key distribution (QKD) [1-7] 
could be the one that is closest to immediate application 
in practice because of its relative low technical overhead: 
the only thing required there is preparation, transmis- 
sion and measurement of a 2-level quantum state, e.g., a 
single photon. 

The security proof of QKD is strongly non-trivial. How- 
ever, it is greatly simplified if we look at the problem 
from the entanglement distillation viewpoint. The first 
protocol for the entanglement distillation was given by 
Bennett et al [3,4], BDSW protocol. It was then pointed 
out by Deutsch et al [8] that the distillation protocol 
can be used for secure QKD: we can first purify the en- 
tangled pairs and then take measurement in the same 
basis on each side. Latter on, it was shown that [9-11] 
actually the fidelity result of distillation protocol [3] is 
always correct given whatever initial state of the raw 
pairs: Suppose in the case that each raw pairs are in a 
Bell state, the protocol may distill out m pairs in a state 
p whose fidelity to m perfect entangled pairs is almost 1. 
As it has been shown by Lo and Chau [9] , if the fidelity 
is exponentially close to 1, then Eve's information is ex- 
ponentially small. In the most general case, we imagine 
a Bell measurement on each pair just before the distilla- 
tion then we obtain the same p after distillation. In the 
distillation, two remote parties, Alice and Bob need the 
local controlled-NOT gate on each side to collect the par- 
ity information of a random subset of the raw pairs into 
one pair (destination pair) and then measure the parity 
of that pair and discard the destination pair. Note that 
the parity measurement is a collective measurement of 
MiMi. They repeat this step until they they can com- 
pute the location of all flipping errors of the remained m 
pairs. The initial Bell measurement commutes with all 



operations in distillation therefore can be postponed un- 
til the end of the distillation. Moreover, after this delay 
we can even remove the step of Bell measurement: with 
this removal, they finally obtain m pairs in a different 
state, p' , but p and p' have the same fidelity to m perfect 
entangled pairs. And the fidelity value is the only thing 
we are caring about here. Moreover, since all destination 
pairs have been discarded, it does not affect the fidelity 
of p' if they then take local measurement Mi <g> Mi on 
each side to those discarded pairs and then announce the 
outcome. Since this local measurement commute with 
the parity measurement MiMi, they can exchange the or- 
der of them therefore measurement MiMi is unnecessary: 
once they announced the specific result of local measure- 
ment, they have known the parity already. Therefore all 
they need there is just local operation and classical com- 
munication (LOCC), this is just BDSW protocol. 
Therefore, in doing the entanglement purification or pri- 
vacy amplification, we can safely assume that each raw 
pairs are in one of the 4 Bell states, l^*} = -i=(|00} ± 

11}), [V^) = TjdOl) ± 1 10>). Or equivalently, we can 
assume Pauli channel for the qubit transmission: 
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If Alice starts from N pairs of \<p + ) state, the bit-flip rate 
is defined as the percentage of pairs which have been 
changed into state \tp + ) or state phase-flip rate 

is defined as the percentage of pairs which have been 
changed into state \<t>~) or state \ip~). Equivalently, given 
Pauli channel, the channel operation a x or a y causes a 
bit-flip, the channel operation o~ y or o~ z will cause a phase- 
flip. 

The constraint in classical CSS code. The entangle- 
ment distillation can also be done by a type of quantum 
error correction code: the CSS code which is named by 
it's inventors, Calderbank, Shor and Steane [13,14]. They 
use classical linear codes C\ , to correct bit-flip errors 
and amply the privacy of the final key [15]. Here the 
error correction (EC) and privacy amplication (PA) are 
decoupled because of the constraint: 



C 2 C Ci. 



(2) 
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Due to this constraint, it is so far not known on how 
to construct a large classical CSS code efficiently. Es- 
pecially, the construction task is even more complicated 
when we have another constraint: C\ must be efficiently 
decodable, e.g., Spielman code [12]. 
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It is not a problem to construct small CSS codes and we 
can distill the final key concatenatedly. However, this 
method seems not economic: when we use small CSS 
codes, we have to assume a large statistical fluctuation 
therefore decrease the key rate. Another choice is to use 
two-way classical communication in key distillation [11], 
however, the key rate is also low. 

If we use BDSW protocol [3] with one-way random hash- 
ing, we do not need CSS code, we only need a random 
matrix, or a linear code, C. However, in the present 
form of BDSW protocol [3], the error correction and pri- 
vacy amplification are combined together. Whenever any 
hashing step is done, there are backward actions there- 
fore the remained pairs cannot be simply described by the 
criteria of "flipping rate" . To such a case, the efficiently 
decodable error correction code given by Spielman [12] 
cannot be directly applied. If we use Shanon code for 
BDSW protocol, the decoding is complicated. 
In short, there are computational difficulties in both 
BDSW protocol [3] and CSS code [15] for key distilla- 
tion in practice: the construction difficulty in using CSS 
code and the decoding complexity in using BDSW proto- 
col. In this paper, we modify BDSW method so that the 
EC and PA are treated separately with two independent 
linear codes. Moreover, after the modification, we can 
choose to use Spielman's code [12] for EC therefore error 
correction step is done efficiently. There is no compu- 
tational complexity in PA step of our protocol since we 
don't need to really correct the phase-flip errors. 

Modified BDSW protocol: error correction and pri- 
vacy amplification with two independent parity matri- 
ces. We now consider to modify BDSW protocol [3] 
therefore EC and PA can be done separately with two 
independent parity matrices. In a previous work given by 
Lo [16], the BDSW method is modified so that the error 
correction and privacy amplification can be done sepa- 
rately with two independent matrices. However, there, 
a pre-shared secret string used as one-time-pad is re- 
quested. Here we don't use one-time-pad. Our modified 
protocol here is laso different from the hashing method 
given by Ref [17] where the constraint of eq.(2) is used 
and the construction difficulty still exists. 
Given N raw pairs, we can use two N— bit binary strings, 
the bit string Sb and the phase string s p to represent 
the quantum state of these raw pairs. Given any raw 
pair, if it bears a bit-flip, the corresponding element in 
string Sb is 1, otherwise it is 0; if it bears a phase- flip, 
the corresponding element in string s p is 1, otherwise 
it is 0. For example, if the raw pairs are in the state 
\4 l+ )\4' + )\iJ + )\ ( l ) ~)\i ; ~) i the two classical strings are 

s b = 00101; s p = 00011. (3) 

One can see that, the state of raw pairs is explicitly 
known if both bit string and phase string are known. 
In the BDSW protocol [3] for entanglement distillation, 
there are many steps of parity measurement, after each 
step, we discard one pair therefore we have a new short- 
ened strings for the remained pairs. Our purpose is to 



know exactly the strings for the remained pairs after some 
hashing steps. For clarity, we shall use s^, s p i to repre- 
sent the strings of the remained pairs after step i, e.g., 
we use Sbo, s p0 for the initial strings. 
Suppose the bit-flip rate is less than 5b and the phase-flip 
rate is less than S p . Initially the number of likely string 
for Sbo and s p0 are less than Wb and w p , respectively. Here 
Wb, w p are determined by 5b, 5 p : 

w b = 2 N - H ^;w p = 2 N - H ^ (4) 

and 

H(x) = -xlog 2 x- (1 - z)log 2 (l - x). (5) 

After we check the parities in Z basis with an efficiently 
decodable linear code C [12] which corrects 5bN errors, 
we can compute the locations of all bit-flip errors and flip 
them back. Note that after this error-correction, string 
s p changes due to the backward effect. However, the 
number of likely string for s p is still upper bounded by 
uj p , the number of likely string for s p q. To do phase er- 
ror correction is difficult because of the backward effect. 
But to do privacy amplification is simple: Once we know 
the number of likely string for s p , we in principle know 
how to correct all phase errors and this in principle com- 
putability is enough. 

There are two independent elementary operations in the 
modified BDSW protocol: 

(1) Error correction: At step i, the classical binary strings 
for the remained N — i qubits are su , s P i with i being 
started from 0. Alice and Bob generate a random binary 
string ri and measure the parity value of ri ■ su at each 
side and announce the results. The can do the measure- 
ment by first collect the parity of all pairs indicated by 
non-zero elements in ri to the destination pair, di and 
then measure pair di in Z basis at each side. In col- 
lecting the parity into pair di, they only need to do the 
controlled-NOT operations at each side (bi-CNOT) with 
pair di being the target pair and all other pairs indicated 
by ri being the controlled pair. They then discard pair 
di. 

If the initial bit-flip error rate is 5b, the number of likely 
strings for Sbo is 2 NH ( Sb K They need run the step for 
nb = NH(5b) times to compute the explicit form the 
string Sbn b and then Bob takes bit-flip operation to those 
qubits bearing a bit-flip error. The process can be sum- 
marized by error correction through an nb x N random 
matrix. Decoding such a random matrix could be very 
complicated. However, we can first randomly permute 
the qubits and then replace the random matrix by Spiel- 
man code [12] which can be decoded efficiently. 
We now consider the backward action. We denote 
\<f> + ), \<f>~), by |xoo), |Xoi), |Xio), Ixn), respec- 

tively. Given two pair state |Xa,b}|Xa',6'), if we do bi- 
CNOT on this two pairs with the second pair being the 
target, we have 

|Xa,fc)|Xa' : 6'> > \Xa,b®b')\Xa>(Ba,b>). (6) 
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Here © is bitwise sum and each of a, b, a', b' can only 
take or 1. This shows that, given s p i, string s P i+i 
is determined exactly since the backward action is only 
determined by phase flip information of the destination 
pair, pair dj. That is to say, the so-called backward ac- 
tion does not change the number of likely string of s p j. If 
the initial phase- flip rate is 6 P , then the number of likely 
string for each s pi is fixed at uj p0 . After doing error cor- 
rection, they can then start the second elementary step: 
(2) Privacy amplification. If they can also locate all po- 
sitions of phase-flip errors, they can then flip them back 
and obtain pure entangled pairs therefore complete the 
entanglement distillation. At step j, the classical binary 
strings for the remained N — j qubits are Sbj , s p j with 
j being started from rib. Alice and Bob generate a ran- 
dom binary string rj and measure parity value of rj ■ s p j 
at each side and announce the results. The can do the 
measurement by first collect the parity in A— basis of all 
pairs indicated by non-zero elements in rj to the desti- 
nation pair, dj and then measure pair dj in A basis in 
each side. To collect the parity, they only need to take 
bi-CNOTs in A— basis with pair dj being the target pair 
and all other pairs indicated by rj being the controlled 
pair. They then discard pair dj. And they use binary 
string Sbj+i, Spj+i to represent the remained N — j — 1 
qubits. It has been proven [3] that, they only need repeat 
the step for 

n p = N ■ H(S P ) (7) 

times in order to specify the final string of s p . How- 
ever, since their only purpose is to obtain a secure final 
key, they need not take phase-flips to those pairs bear- 
ing a phase-flip error. Instead, they may directly mea- 
sure the remained pairs after n p steps of parity measure- 
ment in A-basis. Moreover, since all destination pairs 
are discarded, the measurements in A basis to them are 
also unnecessary. The only thing now remained here is 
the bi-CNOTs in A— basis. These are equivalent to bi- 
CNOTs in Z— basis with the target pair and the con- 
trolled pairs being reversed. Therefore, all operations 
needed in the distillation arc done in Z basis and Al- 
ice can replace the initial distribution of entangled pairs 
by sending Bob single qubits randomly chosen from the 
BB84 set {|0>, |1), |±> = -^(|0) ± |1))}. In each step j, 
they simply replace each bits in the set indicated by rj 
by the parity of that bit and bit dj and discard the bit 
dj . After error correction and privacy amplification, the 
remained bits can be used as the final key and the key 
rate is 

R=l-H(S b )-H(S p ). (8) 

QKD with imperfect source. Having removed the com- 
putational complexity by the modifying BDSW method 
[3], we now consider a type of physical imperfection of 
source. In practice, it's very often to use the weak coher- 
ent states in stead of a real single photon source, which 
is a difficult technique. However, there will be a small 



fraction of multi-photon signals if we use weak coherent 
states. To those multi-photon signals, Eve may first split 
the light beam, keep one photon with her and send other 
photons to Bob. She will wait until Alice announces the 
measurement basis of that signal. Such a photon num- 
ber splitting (PNS) attack will help Eve to have full in- 
formation of bit values of multi-photon signals without 
disturbing it at all. More generally, we can use the "tag- 
ging" model [18] to describe the type of imperfect source: 
Alice uses perfect single photon source but she tells Eve 
the exact states of a fraction of her signals . That is to 
say, Eve may tag a few of qubits without disturbing them 
at all. Here, we treat the issue in a similar way given by 
rcf [18], but we shall not use CSS code therefore we don't 
have the construction complexity in practice. 
For clarity, we consider the entanglement distillation 
first. Initially, Alice prepares a number of perfect en- 
tangled pairs, \<j> + ). Before entanglement distribution, a 
small fraction A of them are tagged by Eve, i.e., Alice 
measures these tagged pairs in Z basis or A basis and 
tells Eve her measurement bases and outcome. And lat- 
ter, in error test or key distillation, those tagged pair 
will be , only measured it in the same basis used by Alice 
before entanglement distribution. If a tagged pair was 
measured in Z basis, the averaged phase-flip error is a 
half, after passing through whatever noisy channel. The 
proof for this is very simple. According to its definition, 
if the measure the pair at each side in A— basis and 
obtain different outcome, then we say that pair bears a 
phase-flip error. Consider the tagged state |00) or |11). 
// Alice now measures her qubit in A— basis, the out- 
come is totally random and has no correlation with any 
other qubit. No channel can create correlation between 
a qubit and a random result. Therefore, if Bob measures 
his qubit in A— basis, he must have half a chance to ob- 
tain a different outcome, since otherwise his qubit has 
non-zero correlation with Alice's qubit. 
Now let's consider the error test. The measured error rate 
in A— basis on the test pairs does not indicate the correct 
value of phase-flip rate of untested pairs. (Here we only 
consider the asymptotical result. We don't consider the 
statistical fluctuation, for simplicity.) Since Eve can treat 
tagged pairs and untagged pairs differently, we have to 
consider them separately. For those untagged pairs, since 
the measurement basis of each pair is unknown to Eve, 
the result bit errors of the test pairs in A— basis on un- 
tagged pairs can be used to indicate the correct phase-flip 
error rate of the remained untagged pairs. However, for 
those tagged pairs, the situation is different. Alice's mea- 
surement basis has been pre-determined and announced, 
they cannot choose basis randomly latter. The measure- 
ment outcome of tagged pairs in A— basis does not indi- 
cate anything about the phase-flip rate of those untested 
tagged pairs in Z— basis. In fact, the phase-flip rate of 
tagged pairs in Z— basis is fixed to 50% while the bit-flip 
rate of those A— basis tagged pairs can be 0, as Eve likes. 
This shows that, if the tested bit-error rate in A— basis 
is S p , it could be the worst case that the phase-flip rate 
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of the untagged pairs is 6 P /(1 — A) and the phase-flip 
rate to tagged pairs is fixed at 50%. Differently, bit-flip 
error rate can be indicated correctly by the error test. 
Because in this case, the test pairs and the untest pairs 
will be measured in the same basis. Before they do the 
test, Eve cannot tell which pairs will be used as the test 
pairs. Suppose after all error tests, there are N pairs re- 
mained. 

In bit-flip error correction, the backward action is differ- 
ent from that of the perfect source. Say, if the bit-flip 
rate is 5 , we must take NH(5 ) rounds of parity mea- 
surement in Z basis. Note that the number of likely 
phase string, s p on those remained untagged pairs is now 
not fixed, since it is determined by the phase string of 
all pairs (S p ) instead of the phase string untagged pairs 
only (s p ). More specifically, at any round of parity mea- 
surement in Z— basis, if the destination pair is untagged, 
the the number of likely string s p is unchanged. But 
if the destination pair is tagged, the number of likely 
string s p for the remained untagged pairs is doubled: the 
destination pair has half a chance to bear a phase-flip er- 
ror. Actually, the assumption of half a phase-flip error of 
the tagged qubit is also the worst-case assumption: this 
maximizes the number of likely phase string s p for the 
remained untagged pairs. After the bit-flip error correc- 
tions are completed, the number of likely string s p for 
the remained untagged pairs is 



^p. untagged 



2 (1-A 2 )N-H(S P /(1-A))^ 



(9) 



Here we have used the fact that among all destination 
pairs, a fraction A of them had been tagged. 
Now we can consider how to do the privacy amplifica- 
tion (phase-flip correction). Straightly, we assume half a 
phase-flip for each tagged pairs and can just use the in- 
creased phase-flip error rate (S p + A/2) and complete the 
distillation. But our purpose here is only to do privacy 
amplification rather than entanglement purification. Us- 
ing the method giving by ref [18], we can treat the issue 
more sophisticatedly. Since we only want to obtain the 
final key, it makes no difference for Alice and Bob to mea- 
sure each remained pairs in Z— basis before privacy am- 
plification. Suppose they have done so. We now see what 
happens after the privacy amplification is activated. In 
each step of privacy amplification, they randomly choose 
a subset Subj. They then randomly choose an amplify- 
ing bit dj in set Subj. They replace each bit value Vk 
in Subj by Vk vd and vd is the bit value of dj. They 
discard bit dj. They repeat such operations for I times. 
If they are sure that among all I amplifying (discarded) 
bits, at least log 2 w p ^ unta gged of them are originally from 
untagged pairs, then those remained bits originally from 
untagged pairs are perfectly secure. Since this means a 
separate privacy amplification has been taken to the un- 
tagged bits. Explicitly, after I rounds, we denote the set 
of the remained bits originally from untagged pairs by 
{b ui }, we have 



and v u i is the resultant value due to independent privacy 
amplification which only happens to all untagged bits, 
vu is the parity of certain tagged bits. Since v U i itself 
is perfectly secure, b U i is also secure. Therefore, after 
I rounds of privacy amplification, among all of the re- 
mained bits, 1 — A of them arc unconditionally secure 
while A of them could be still insecure. The fraction A 
are those bits which are originally from tagged pairs. In 
particular, 



j _ log2 ^p.untagged _ ^ _|_ £±)N ■ H 



And there are 



q = N 



1-HiM-H ^ -A* ^ 



(11) 



(12) 



bits remained. The next task is to remove those Aq in- 
secure bits. To do so they can simply continue the same 
privacy amplification for another Aq rounds. After ad- 
ditional Aq rounds are taken, each remained bit has the 
form of b' ui © v' ti and {b' ui } and each elements in {b' ui } 
are just the parity of certain subset of b U i and all b' ui are 
independent. The final key rate is 



R f = 1 - A - (1 - A)H{8 b ) 



- H — + A 2 H 



1 



1 



(13) 



Our protocol directly applies to the source of weak coher- 
ent states. In our protocol, Alice may choose to measure 
all of her qubits in the begining and tells Eve the outcome 
of a fraction of them. Given the source of weak coherent 
states, since the phase of each signal is random, it is just 
an imperfect single-photon source that produces multi- 
photon signals occasionally. Here Alice does not tell Eve 
any outcome, but the multi-photon signals play the role 
of tagged qubits, given the PNS attack. 

Summary In summary, we have given a clear picture 
on how to do error correction and privation amplification 
with two independent parity matrices and all computa- 
tional difficulties in practical QKD are removed. We have 
also applied our method to the case of QKD with imper- 
fect source and given a formula for key rate. 
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